5.0 Configuring the Password Filter

The Password Filter automatically updates the LDAP password stored in Advanced Authentication whenever the password is changed or reset in Active Directory. This lets you authenticate without being prompted to synchronize the password after it is changed or reset.

NOTE: If you do not include the LDAP Password method in a chain, a prompt to perform a synchronization is displayed. If you set Save LDAP password to ON in the LDAP Password method, the prompt is displayed only the first time, until the password is changed or reset. If you set this option to OFF, a prompt for synchronization is displayed each time.

Figure 5-1 illustrates the situation when you do not use the Password Filter.

Figure 5-1

Figure 5-2 illustrates the situation when you use the Password Filter.

Figure 5-2

Perform the following steps to configure the Password Filter in the Advanced Authentication Administration portal:

  1. Install the Advanced Authentication Logon Filter component on all Domain Controllers.

  2. Open the Advanced Authentication Administration portal.

  3. Go to Endpoints.

  4. Edit the endpoints for all the Domain Controllers one by one and set the Is trusted option to ON. Add a Description to save the changes.

  5. Enable the Password Filter through the Advanced Authentication Administration portal in Policies > Password filter for Active Directory.

  6. Set Update password on change to ON to enable updating of the LDAP password in Advanced Authentication when the password is changed in Active Directory. This lets you authenticate without being prompted to synchronize the password after it is changed. If Update password on change is set to OFF, the user gets a request to synchronize the password while logging in to Windows, if the user has changed the password.

  7. Set Update password on reset to ON to enable automatic update of the LDAP password in Advanced Authentication when it is reset in Active Directory. This lets you authenticate without being prompted to synchronize the password if it is reset. If Update password on reset is set to OFF, the user gets a request to synchronize the password while logging in to Windows, if the administrator has reset the user's password.

    NOTE: If Enable local caching is set to ON in the Cache Options and the forceCachedLogon parameter is set to True, then when the password is changed or reset in Active Directory, the user is prompted to synchronize the password while logging in to Windows Client, irrespective of the status of the following Password Filter for AD settings:

    • Update password on change

    • Update password on reset

    If forceCachedLogon is set to False, the Password Filter works according to the settings configured in the Password Filter for AD policy.

    If Enable local caching is set to OFF, the Password Filter works according to the settings configured in the Password Filter for AD policy.

NOTE: The endpoint for the Password Filter must be trusted. To set this option, open the Advanced Authentication Administration portal > Endpoints, edit the endpoint of the Password Filter, and set the Is trusted flag to ON. Save the changes.